
Packets and Protocols Security Devices and Practices


Page 1: Packets and Protocols Security Devices and Practices

Packets and Protocols

Security Devices and Practices

Page 2: Packets and Protocols Security Devices and Practices

Information security is an emerging discipline that combines the efforts of people, policy, education, training, awareness, procedures, and technology to improve the confidentiality, integrity, and availability of an organization’s information assets

Technical controls alone cannot ensure a secure IT environment, but they are usually an essential part of information security programs

Page 3: Packets and Protocols Security Devices and Practices

Although technical controls can be an important part of an information security program, they must be combined with sound policy and education, training, and awareness efforts

Some of the most powerful and widely used technical security mechanisms include:
– Access controls
– Firewalls
– Dial-up protection
– Intrusion detection systems
– Scanning and analysis tools
– Encryption systems

Page 4: Packets and Protocols Security Devices and Practices


Page 5: Packets and Protocols Security Devices and Practices

Access control encompasses three processes:
– Confirming the identity of the entity accessing a logical or physical area (authentication)
– Determining which actions that entity can perform in that physical or logical area (authorization)
– Logging their actions (accounting)

A successful access control approach—whether intended to control physical access or logical access—always consists of all three.

Page 6: Packets and Protocols Security Devices and Practices

Mechanism types
– Something you know
– Something you have
– Something you are
– Something you produce

Strong authentication uses at least two different authentication mechanism types

Page 7: Packets and Protocols Security Devices and Practices

Something you know:
– This type of authentication mechanism verifies the user’s identity by means of a password, passphrase, or other unique code
  – A password is a private word or combination of characters that only the user should know
  – A passphrase is a plain-language phrase, typically longer than a password, from which a virtual password is derived
– A good rule of thumb is to require that passwords be at least eight characters long and contain at least one number and one special character

Page 8: Packets and Protocols Security Devices and Practices

Something you have
– This authentication mechanism makes use of something (a card, key, or token) that the user or the system possesses
– One example is a dumb card (such as an ATM card) with magnetic stripes
– Another example is the smart card containing a processor
– Another device often used is the cryptographic token, a processor in a card that has a display

Page 9: Packets and Protocols Security Devices and Practices

Something you are:
– This authentication mechanism takes advantage of something inherent in the user that is evaluated using biometrics
– Most of the technologies that scan human characteristics convert these images to obtain some form of minutiae—unique points of reference that are digitized and stored in an encrypted format

Page 10: Packets and Protocols Security Devices and Practices

Something you do:
– This type of authentication makes use of something the user performs or produces
– It includes technology related to signature recognition and voice recognition, for example

Page 11: Packets and Protocols Security Devices and Practices


Page 12: Packets and Protocols Security Devices and Practices

In general, authorization can be handled by:
– Authorization for each authenticated user, in which the system performs an authentication process to verify the specific entity and then grants access to resources for only that entity
– Authorization for members of a group, in which the system matches authenticated entities to a list of group memberships, and then grants access to resources based on the group’s access rights
– Authorization across multiple systems, in which a central authentication and authorization system verifies entity identity and grants a set of credentials to the verified entity

Page 13: Packets and Protocols Security Devices and Practices


Page 14: Packets and Protocols Security Devices and Practices

To appropriately manage access controls, an organization must have in place a formal access control policy, which determines how access rights are granted to entities and groups

This policy must include provisions for periodically reviewing all access rights, granting access rights to new employees, changing access rights when job roles change, and revoking access rights as appropriate

Page 15: Packets and Protocols Security Devices and Practices

Firewalls
– In information security, a firewall is any device that prevents a specific type of information from moving between two networks, often the outside, known as the un-trusted network (e.g., the Internet), and the inside, known as the trusted network

The firewall may be a separate computer system, a service running on an existing router or server, or a separate network containing a number of supporting devices

Page 16: Packets and Protocols Security Devices and Practices

Packet Filtering Routers
– Most organizations with an Internet connection use some form of router between their internal networks and the external service provider
– Many of these routers can be configured to block packets that the organization does not allow into the network

Such an architecture lacks auditing and strong authentication, and the complexity of the access control lists used to filter the packets can grow to a point that degrades network performance

Page 17: Packets and Protocols Security Devices and Practices

When evaluating a firewall, ask the following questions:
– What type of firewall technology offers the right balance between protection and cost for the needs of the organization?
– What features are included in the base price? What features are available at extra cost? Are all cost factors known?
– How easy is it to set up and configure the firewall? How accessible are the staff technicians who can competently configure the firewall?
– Can the candidate firewall adapt to the growing network in the target organization?

Page 18: Packets and Protocols Security Devices and Practices

Some of the best practices for firewall use are:
– All traffic from the trusted network is allowed out
– The firewall device is never accessible directly from the public network
– Simple Mail Transport Protocol (SMTP) data is allowed to pass through the firewall, but should be routed to an SMTP gateway
– All Internet Control Message Protocol (ICMP) data should be denied
– Telnet (terminal emulation) access to all internal servers from the public networks should be blocked
– When Web services are offered outside the firewall, HTTP traffic should be handled by some form of proxy access or DMZ architecture
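
The best practices above can be written as a first-match packet filter and then checked with probe packets, one per practice. This is an added example, not part of the original slides; the addresses, rule names, rule order and the `audit` helper are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing plan (assumption; the slides name no addresses).
TRUSTED = ipaddress.ip_network("10.0.0.0/8")
ANY = ipaddress.ip_network("0.0.0.0/0")
FIREWALL = ipaddress.ip_network("203.0.113.1/32")
SMTP_GATEWAY = ipaddress.ip_network("192.0.2.25/32")   # DMZ mail relay
WEB_PROXY = ipaddress.ip_network("192.0.2.80/32")      # DMZ proxy for HTTP


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp", "udp" or "icmp"
    dport: int = 0      # unused for ICMP


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                    # "allow" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: Optional[str] = None    # None matches any protocol
    dport: Optional[int] = None    # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# Rules are evaluated top-down, the first match wins, and anything unmatched
# is denied. Placing the ICMP rule first is an ordering choice made here so
# that "deny all ICMP" also covers traffic leaving the trusted network.
# A real filter would also match on the ingress interface, because a source
# address alone can be spoofed.
HARDENED = [
    Rule("deny-icmp", "deny", ANY, ANY, proto="icmp"),
    Rule("trusted-out", "allow", TRUSTED, ANY),
    Rule("protect-firewall", "deny", ANY, FIREWALL),
    Rule("smtp-to-gateway", "allow", ANY, SMTP_GATEWAY, "tcp", 25),
    Rule("block-telnet-in", "deny", ANY, TRUSTED, "tcp", 23),
    Rule("http-to-proxy", "allow", ANY, WEB_PROXY, "tcp", 80),
]

# A permissive ruleset of the kind the practices are meant to rule out.
PERMISSIVE = [Rule("allow-all", "allow", ANY, ANY)]


def evaluate(rules: List[Rule], p: Packet) -> Tuple[str, str]:
    """Return (action, rule name) for the first rule that matches the packet."""
    for r in rules:
        if r.matches(p):
            return r.action, r.name
    return "deny", "default-deny"


PUBLIC = "198.51.100.7"   # constructed outside host
INSIDE = "10.1.2.3"       # constructed inside host

# (practice being checked, probe packet, expected action)
PROBES = [
    ("trusted traffic allowed out", Packet(INSIDE, PUBLIC, "tcp", 443), "allow"),
    ("firewall not reachable from public", Packet(PUBLIC, "203.0.113.1", "tcp", 22), "deny"),
    ("SMTP reaches the gateway", Packet(PUBLIC, "192.0.2.25", "tcp", 25), "allow"),
    ("SMTP not delivered straight inside", Packet(PUBLIC, INSIDE, "tcp", 25), "deny"),
    ("ICMP denied", Packet(PUBLIC, INSIDE, "icmp"), "deny"),
    ("Telnet from public blocked", Packet(PUBLIC, INSIDE, "tcp", 23), "deny"),
    ("HTTP handled by proxy", Packet(PUBLIC, "192.0.2.80", "tcp", 80), "allow"),
    ("HTTP not delivered straight inside", Packet(PUBLIC, INSIDE, "tcp", 80), "deny"),
]


def audit(rules: List[Rule]) -> List[str]:
    """Return the practices a ruleset violates, judged by the probe packets."""
    return [name for name, pkt, want in PROBES if evaluate(rules, pkt)[0] != want]


if __name__ == "__main__":
    print("hardened violations:", audit(HARDENED))
    print("permissive violations:", audit(PERMISSIVE))
```

Running the same probes after every rule change turns the slide's list into a regression check for the filter.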

Page 19: Packets and Protocols Security Devices and Practices


Page 20: Packets and Protocols Security Devices and Practices

A host-based IDS works by configuring and classifying various categories of systems and data files
– In many cases, IDSs provide only a few general levels of alert notification
– Unless the IDS is very precisely configured, benign actions can generate a large volume of false alarms
– Host-based IDSs can monitor multiple computers simultaneously

Page 21: Packets and Protocols Security Devices and Practices

Network-based IDSs monitor network traffic and, when a predefined condition occurs, notify the appropriate administrator
– The network-based IDS looks for patterns of network traffic
– Network IDSs must match known and unknown attack strategies against their knowledge base to determine whether an attack has occurred
– These systems yield many more false-positive readings than do host-based IDSs, because they are attempting to read the network activity pattern to determine what is normal and what is not

Page 22: Packets and Protocols Security Devices and Practices

A signature-based IDS or knowledge-based IDS examines data traffic for something that matches the signatures, which comprise preconfigured, predetermined attack patterns
– The problem with this approach is that the signatures must be continually updated, as new attack strategies emerge
– A weakness of this method is the time frame over which attacks occur
– If attackers are slow and methodical, they may slip undetected through the IDS, as their actions may not match a signature that includes factors based on duration of the events

Page 23: Packets and Protocols Security Devices and Practices

The statistical anomaly-based IDS (stat IDS) or behavior-based IDS first collects data from normal traffic and establishes a baseline
– It then periodically samples network activity, based on statistical methods, and compares the samples to the baseline
– When the activity falls outside the baseline parameters (known as the clipping level), the IDS notifies the administrator
– The advantage of this approach is that the system is able to detect new types of attacks, because it looks for abnormal activity of any type
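
An added example (not from the original slides) that runs both detection styles from pages 22 and 23 over the same failed-login log: a signature with a duration factor misses a slow, methodical source, while a baseline with a clipping level flags the hour in which that source is active. The event data, the 5-failures-in-60-seconds signature and the mean-plus-three-standard-deviations clipping level are constructed assumptions.

```python
from statistics import mean, stdev


def signature_alerts(events, threshold=5, window=60):
    """Signature with a duration factor: flag any source that produces
    `threshold` failed logins within `window` seconds.
    events: time-ordered list of (timestamp_seconds, source)."""
    recent = {}        # source -> timestamps still inside the window
    flagged = set()
    for ts, src in events:
        q = recent.setdefault(src, [])
        q.append(ts)
        while ts - q[0] >= window:   # drop failures older than the window
            q.pop(0)
        if len(q) >= threshold:
            flagged.add(src)
    return flagged


def build_baseline(samples, k=3.0):
    """Baseline from normal traffic. The clipping level is set to the mean
    plus k standard deviations (k=3 is an assumption, not from the slides)."""
    mu, sigma = mean(samples), stdev(samples)
    return {"mean": mu, "stdev": sigma, "clipping_level": mu + k * sigma}


def hourly_counts(events, hours):
    """Sample the activity: number of failed logins in each hour."""
    counts = [0] * hours
    for ts, _src in events:
        counts[int(ts // 3600)] += 1
    return counts


def anomaly_alerts(events, hours, baseline):
    """Return the hours whose sample falls outside the clipping level."""
    return [h for h, c in enumerate(hourly_counts(events, hours))
            if c > baseline["clipping_level"]]


# Constructed data -----------------------------------------------------------
# Failed logins per hour observed during normal operation.
NORMAL_HOURLY = [3, 2, 4, 3, 5, 2, 3, 4]
BASELINE = build_baseline(NORMAL_HOURLY)

FAST_SRC = "198.51.100.9"    # 20 failures, 2 seconds apart, in hour 0
SLOW_SRC = "203.0.113.50"    # 1 failure every 120 seconds throughout hour 1

fast = [(100 + 2 * i, FAST_SRC) for i in range(20)]
slow = [(3600 + 120 * i, SLOW_SRC) for i in range(30)]
background = [(500, "10.0.0.5"), (1500, "10.0.0.8"), (4000, "10.0.0.5"),
              (8000, "10.0.0.9"), (9000, "10.0.0.5")]   # ordinary typos
EVENTS = sorted(fast + slow + background)


if __name__ == "__main__":
    print("clipping level:", round(BASELINE["clipping_level"], 2))
    print("hourly samples:", hourly_counts(EVENTS, 3))
    print("signature alerts:", signature_alerts(EVENTS))
    print("anomalous hours:", anomaly_alerts(EVENTS, 3, BASELINE))
```

The anomaly detector reports an hour rather than a source, so an analyst still has to break the flagged hour down by source to find the slow one.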

Page 24: Packets and Protocols Security Devices and Practices

Managing IDSs
– Just as with any alarm system, if there is no response to an alert, then an alarm does no good
– IDSs must be configured using technical knowledge and adequate business and security knowledge to differentiate between routine circumstances and low, moderate, or severe threats
– A properly configured IDS can translate a security alert into different types of notification
– A poorly configured IDS may yield only noise

Page 25: Packets and Protocols Security Devices and Practices

RADIUS and TACACS are systems that authenticate the credentials of users who are trying to access an organization’s network via a dial-up connection

A Remote Authentication Dial-In User Service (RADIUS) system centralizes the management of user authentication by placing the responsibility for authenticating each user in the central RADIUS server

Page 26: Packets and Protocols Security Devices and Practices

When a remote access server (RAS) receives a request for a network connection from a dial-up client, it passes the request along with the user’s credentials to the RADIUS server; RADIUS then validates the credentials

The Terminal Access Controller Access Control System (TACACS) works similarly and is based on a client/server configuration

Page 27: Packets and Protocols Security Devices and Practices


Page 28: Packets and Protocols Security Devices and Practices

Scanning and analysis tools can find vulnerabilities in systems, holes in security components, and other unsecured aspects of the network

Conscientious administrators will have several informational Web sites bookmarked, and they frequently browse for new vulnerabilities, recent conquests, and favorite assault techniques

There is nothing wrong with security administrators using the tools used by attackers to examine their own defenses and search out areas of vulnerability

Page 29: Packets and Protocols Security Devices and Practices

WPA is an industry standard, created by the Wi-Fi Alliance

Has some compatibility issues with older WAPs

Provides increased capabilities for authentication, encryption, and throughput

Page 30: Packets and Protocols Security Devices and Practices

Vulnerability scanners, which are variants of port scanners, are capable of scanning networks for very detailed information

They identify exposed user names and groups, show open network shares, and expose configuration problems and other server vulnerabilities

Page 31: Packets and Protocols Security Devices and Practices

A packet sniffer is a network tool that collects and analyzes packets on a network

It can be used to eavesdrop on network traffic

A packet sniffer must be connected directly to a local network from an internal location

Page 32: Packets and Protocols Security Devices and Practices

To use a packet sniffer legally, you must:
– Be on a network that the organization owns, not leases
– Be under the direct authorization of the network’s owners
– Have the knowledge and consent of the users
– Have a justifiable business reason for doing so

Page 33: Packets and Protocols Security Devices and Practices

Content Filters
– Another type of utility that effectively protects the organization’s systems from misuse and unintentional denial-of-service conditions is the content filter
– A content filter is a software program or a hardware/software appliance that allows administrators to restrict content that comes into a network
– The most common application of a content filter is the restriction of access to Web sites with non–business-related material, such as pornography
– Another application is the restriction of spam e-mail
– Content filters ensure that employees are using network resources appropriately

Page 34: Packets and Protocols Security Devices and Practices

Managing Scanning and Analysis Tools
– It is vitally important that the security manager be able to see the organization’s systems and networks from the viewpoint of potential attackers
– The security manager should develop a program using in-house resources, contractors, or an outsourced service provider to periodically scan his or her own systems and networks for vulnerabilities with the same tools that a typical hacker might use

Page 35: Packets and Protocols Security Devices and Practices

Drawbacks to using scanners and analysis tools, content filters, etc.:
– These tools do not have human-level capabilities
– Most tools function by pattern recognition, so they only handle known issues
– Most tools are computer-based, so they are prone to errors, flaws, and vulnerabilities of their own
– All of these tools are designed, configured, and operated by humans and are subject to human errors
– Some governments, agencies, institutions, and universities have established policies or laws that protect the individual user’s right to access content
– Tool usage and configuration must comply with an explicitly articulated policy, and the policy must provide for valid exceptions

Page 36: Packets and Protocols Security Devices and Practices

E-Mail Security
– Secure Multipurpose Internet Mail Extensions (S/MIME) builds on the Multipurpose Internet Mail Extensions (MIME) encoding format by adding encryption and authentication via digital signatures based on public key cryptosystems
– Privacy Enhanced Mail (PEM) has been proposed by the Internet Engineering Task Force (IETF) as a standard that will function with public key cryptosystems
– PEM uses 3DES symmetric key encryption and RSA for key exchanges and digital signatures

Page 37: Packets and Protocols Security Devices and Practices

Pretty Good Privacy (PGP) was developed by Phil Zimmermann and uses the IDEA Cipher, a 128-bit symmetric key block encryption algorithm with 64-bit blocks for message encoding
– Like PEM, it uses RSA for symmetric key exchange and to support digital signatures

Page 38: Packets and Protocols Security Devices and Practices

IP Security (IPSec) is the primary and now dominant cryptographic authentication and encryption product of the IETF’s IP Protocol Security Working Group

IPSec combines several different cryptosystems:
– Diffie-Hellman key exchange for deriving key material between peers on a public network
– Public key cryptography for signing the Diffie-Hellman exchanges to guarantee the identity of the two parties
– Bulk encryption algorithms, such as DES, for encrypting the data
– Digital certificates signed by a certificate authority to act as digital ID cards

Page 39: Packets and Protocols Security Devices and Practices

IPSec has two components:
– The IP Security protocol itself, which specifies the information to be added to an IP packet and indicates how to encrypt packet data
– The Internet Key Exchange, which uses asymmetric key exchange and negotiates the security associations

Page 40: Packets and Protocols Security Devices and Practices

IPSec works in two modes of operation: transport and tunnel
– In transport mode, only the IP data is encrypted—not the IP headers themselves; this allows intermediate nodes to read the source and destination addresses
– In tunnel mode, the entire IP packet is encrypted and inserted as the payload in another IP packet

IPSec and other cryptographic extensions to TCP/IP are often used to support a virtual private network (VPN), a private, secure network operated over a public and insecure network

Page 41: Packets and Protocols Security Devices and Practices

Securing the Web
– Secure Electronic Transactions (SET)
  – Developed by MasterCard and VISA in 1997 to provide protection from electronic payment fraud
  – Encrypts credit card transfers with DES for encryption and RSA for key exchange
– Secure Sockets Layer (SSL)
  – Developed by Netscape in 1994 to provide security for e-commerce transactions
  – Mainly relies on RSA for key transfer and on IDEA, DES, or 3DES for encrypted symmetric key-based data transfer

Page 42: Packets and Protocols Security Devices and Practices

Secure Hypertext Transfer Protocol (SHTTP)
– Provides secure e-commerce transactions as well as encrypted Web pages for secure data transfer over the Web, using different algorithms

Secure Shell (SSH)
– Provides security for remote access connections over public networks by using tunneling, authentication services between a client and a server
– Used to secure replacement tools for terminal emulation, remote management, and file transfer applications

Page 43: Packets and Protocols Security Devices and Practices

Securing Authentication
– A final use of cryptosystems is to provide enhanced and secure authentication
– One approach to this issue is provided by Kerberos, which uses symmetric key encryption to validate an individual user’s access to various network resources
– It keeps a database containing the private keys of clients and servers that are in the authentication domain that it supervises